Azure ExpressRoute and VPN with Third-Party NVA - azure

I have a pair of FortiGate NVAs that will act as a termination point for IPSec VPN tunnels as well as serve as a backup connection for remote sites that are using ExpressRoute.
The examples online from Microsoft show a similar solution but using the native VPN gateway. I need some help understanding how I can handle routing and failover when I am not using the native VPN gateway.
The partner is providing the ExpressRoute as a spoke off of the existing MPLS network. Routes will be exchanged with Azure that way. I have never worked with ExpressRoute before, but I would assume that if the circuit fails or the remote site is unable to access the circuit, that specific route would be removed from the table in Azure via the eBGP relationship from the partner. I am not fully understanding how failover would occur.
A bit more about the architecture:
Two VNets. One VNet is the 'gateway' VNet. This would house all of the subnets for the FortiGate NVAs as well as a subnet for the ExpressRoute object. There would be a single UDR for this VNet. There would then be a second VNet where shared services would live. This VNet would be peered with the gateway VNet. Access to the Internet would exit via the NVAs and remote site traffic would exit via the ExpressRoute object. Where in this scenario would traffic be diverted if the ExpressRoute failed? At the UDR?
Thanks!

If you have ExpressRoute deployed in a VNet and you start advertising routes from on-premises, then when you see the effective routes of your NVA you can see the on-premises routes with the ExpressRoute MSEE IP as next hop.
When the circuit goes down, those routes will be revoked.
If you have a VPN gateway and ExpressRoute, which is a co-existence setup, where in ExpressRoute you are advertising the on-prem route and with VPN you have declared the routes of on-premises in the Local Network Gateway, and if you see the effective routes in your NVA's NIC, you will have 2 routes to on-premises, one with ExpressRoute and another with VPN. ExpressRoute will be the preferred route over VPN. And if ExpressRoute fails, the other route which is in place will be acting as a failover.
In your case, if ExpressRoute fails, the route to on-prem via ExpressRoute will be revoked and you need to add a route to forward the traffic via the tunnel. Or else traffic gets dropped in your NVA.

Related

How to route all traffic through Azure Firewall in Azure, even on-prem (connected with VPN)

In our Azure tenant we have an Azure Firewall and a VPN connection with our on-prem servers. I want to route all traffic through the Azure Firewall, whether it's incoming traffic from on-prem to Azure or outgoing traffic from Azure to on-prem.
For traffic inside Azure I have created a routing table for each subnet and pointed it to the firewall. Is this correct? And what do I have to configure for the on-prem connection part? Further, how can I test it?
Thanks and best regards
To route traffic coming from the on-prem network, through the Azure Firewall, you also need to specify a route on the "GatewaySubnet".
This route table should contain the (Azure) subnets you want to reach from on-prem.
So if you, for example, have a subnet 10.5.5.0/24 in Azure and you want to reach that from on-prem:
Add a route table, with a route to 10.5.5.0/24, next hop type "Virtual Appliance" and Next Hop IP the private IP of your Azure Firewall.
Add this route table to the GatewaySubnet. (Sometimes you cannot associate it from within the route table itself, but have to go through Virtual Network > Subnet and specify the route table there.)
(And allow the traffic in the Azure Firewall.)

What is the use of Expressroute gateway and VPN Gateway?

We're setting up IPSec over ExpressRoute. I was wondering what's the need of a VPN gateway and an ExpressRoute gateway?
My understanding is that with a VPN gateway we can connect over the internet and establish an IPSec tunnel. But why is it mandatory to create a VPN gateway (when the case is that I want to connect a site-to-site VPN over ExpressRoute)?
Without creating a VPN gateway, we can't create VPN sites and links. I'm wondering why it's like that.
An ExpressRoute gateway needs to be created in order to establish a connection to ExpressRoute circuits. But here also I don't understand the use of a gateway in general.
Is the gateway's purpose just to establish a connection between the Azure cloud and site-to-site, or the Azure cloud to ExpressRoute circuits?
The Gateway is used to setup the connection to an ExpressRoute Circuit.
The Gateway can be used for both the purpose of establishing a connection to an ExpressRoute Circuit, and a S2S connection.
It's just a device. The way you configure it determines if it is a S2S over internet, or a S2S via expressroute.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
When you configure a virtual network gateway, you configure a setting that specifies the gateway type. The gateway type determines how the virtual network gateway will be used and the actions that the gateway takes. The gateway type 'Vpn' specifies that the type of virtual network gateway created is a 'VPN gateway'. This distinguishes it from an ExpressRoute gateway, which uses a different gateway type. A virtual network can have two virtual network gateways; one VPN gateway and one ExpressRoute gateway.
I hope that's a clear enough answer to your question.

Prevent Azure Expressroute from learning routes from VPN Gateway

How can I prevent Azure ExpressRoute from learning routes from the VPN gateway? We're setting up IPsec over Azure ExpressRoute. We want the Azure ExpressRoute to just be a circuit. Right now Azure ExpressRoute is advertising the routes that are learned from the VPN Gateway to the edge routers.
Is there a way to prevent Azure ExpressRoute from learning routes from the VPN gateway?
Another tough question John!
I have never actually had to verify or look into this.
However, if I just go by what I know from the VPN Gateway: If it is route-based, you need to make routes in order for traffic to go where it needs to go.
So my guess is: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#what-should-i-specify-as-my-address-prefixes-for-the-local-network-gateway-when-i-use-bgp
That page also mentions that when you route 0.0.0.0 to the Azure VPN Gateway, all traffic goes egress to the 'on-premise' site. So if you would only route the traffic you want, the rest of your VNET wouldn't be known to the S2S tunnel.

How to allow users over VPN to access Azure Web App

We have an Azure Web App and Azure VPN, we've locked down the web app so it's accessible internally only by granting/restricting access via IP addresses (via Access Restrictions page). However users over our VPN are not able to access the web app - when they connect over VPN, the user's external IP address is not from our internal network. We do not want to whitelist everyone's IP address.
If we had the internal IP address of the web app, we have a few options we could try, but we assume this is not available to us.
How would we allow access to a web app for users over a VPN?
Is this something API Management would solve?
If you don't want to whitelist everyone's IP address, you could front-end the Web App with an Azure Application Gateway and restrict access to the Web App such that only connections from the Gateway are allowed.
Azure Application Gateway is a web traffic load balancer. It has a public or a private frontend, or both, and it must be deployed in a dedicated subnet. The subnet also supports restricting the network inbound and outbound traffic with an NSG. In this case, you can deploy a private App GW; then the users over VPN will send the HTTP/HTTPS requests to the App GW frontend, the App GW receives the requests via a Listener and routes the traffic to the appropriate backends based on the routing rules. An application gateway can communicate with on-premises servers when they're connected by Azure ExpressRoute or VPN tunnels if traffic is allowed. See supported backend pools and how an application gateway works.
You could get more references from the third way in this blog.

Routing traffic between VNets in Azure

If two VNets are connected to each other via multiple sets of peered VNets, how does Azure route the traffic? For example, let's consider the below: A, B, C, D, E are 5 VNets and they are peered (bi-directionally, with traffic forwarding allowed).
Now if A wants to send a packet to D, how is it determined whether it will take the A-B-C-D path or the A-E-D path?
Any docs will be helpful.
As far as I know, VNet Peering connections are non-transitive. It seems that it's still on the roadmap. See the feedback here.
From your picture, if there are only VNet Peering connections between them, then A could not reach D, and A also could not reach C. A could only reach the directly connected B and E.
If you want to allow communication between many VNets, you could implement a hub-spoke network topology in Azure. In the hub network, you could deploy a VPN gateway, then enable "allow gateway transit" to the other spoke VNets and enable "use remote gateways" in each spoke VNet. If you require connectivity between spokes, consider implementing an NVA for routing in the hub, and using UDRs (custom routes) in the spokes to forward traffic to the hub. In this scenario, you must configure the peering connections to allow forwarded traffic.
VNet Peering enables you to connect VNets through the Azure backbone network. Azure automatically creates a route table for each subnet within an Azure VNet and adds system default routes to the table. You can also override some of Azure's system routes with custom routes.
If multiple routes contain the same address prefix, Azure selects the route type based on the following priority:
1. User-defined route
2. BGP route
3. System route
You could get more details about Virtual network traffic routing
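As an added illustration (not code from this thread or from Azure), the selection rule quoted above, together with the ExpressRoute failover behaviour described in the first answer, modelled in Python: the most specific prefix wins, and among equally specific prefixes User-defined outranks BGP, which outranks System. The effective-route table, the addresses and the helper names are all constructed for the example.

```python
import ipaddress

# Route-selection order as stated in the thread: most specific prefix first; among
# equally specific prefixes the source decides, in this order (lower rank preferred).
SOURCE_RANK = {"User-defined": 0, "BGP": 1, "System": 2}


def select_route(routes, destination):
    """Return the effective route used for destination, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    return min(
        matches,
        key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen, SOURCE_RANK[r["source"]]),
    )


def next_hop(routes, destination):
    route = select_route(routes, destination)
    return route["next_hop"] if route else None


def revoke_bgp(routes):
    """Model the circuit failing: the partner's eBGP session drops and its routes are withdrawn."""
    return [r for r in routes if r["source"] != "BGP"]


def add_udr(routes, prefix, next_hop_ip):
    """Model adding a user-defined route with next hop type 'Virtual Appliance'."""
    return routes + [{"prefix": prefix, "source": "User-defined", "next_hop": next_hop_ip}]


# Constructed effective-route table of a NIC in the shared-services VNet (hypothetical addresses).
ON_PREM = "10.1.0.0/16"   # remote-site prefix advertised by the partner over ExpressRoute
MSEE = "192.0.2.10"       # ExpressRoute MSEE next hop
NVA = "10.100.1.4"        # FortiGate NVA in the gateway VNet
EFFECTIVE_ROUTES = [
    {"prefix": "10.200.0.0/16", "source": "System", "next_hop": "VnetLocal"},
    {"prefix": ON_PREM, "source": "BGP", "next_hop": MSEE},
    {"prefix": "0.0.0.0/0", "source": "User-defined", "next_hop": NVA},  # Internet via the NVA
    {"prefix": "0.0.0.0/0", "source": "System", "next_hop": "Internet"},
]

if __name__ == "__main__":
    print(next_hop(EFFECTIVE_ROUTES, "10.1.5.20"))              # MSEE while the circuit is up
    print(next_hop(revoke_bgp(EFFECTIVE_ROUTES), "10.1.5.20"))  # NVA: the default UDR catches it
    # A pre-staged UDR for the same prefix is not a backup: User-defined outranks BGP,
    # so it steers on-prem traffic to the NVA even while the circuit is healthy.
    print(next_hop(add_udr(EFFECTIVE_ROUTES, ON_PREM, NVA), "10.1.5.20"))  # NVA
```

The last case is the caveat when planning the NVA as backup: a same-length UDR for the on-prem prefix overrides ExpressRoute permanently, so the fallback has to come from a less specific UDR (or be added when the BGP route is withdrawn, as the first answer says).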
According to this article you'd need an NVA somewhere; VNet peering is non-transitive.
At the beginning of the same article they talk a bit more about this.
To sum it up: the packet won't reach D from A unless you fix your networking setup.
Some years ago, but I think service chaining allows that, as far as I understand the documentation:
To enable service chaining, configure user-defined routes that point to virtual machines in peered virtual networks as the next hop IP address. User-defined routes could also point to virtual network gateways to enable service chaining.